We Still haven’t Figured Out Cyber — Here’s What’s Coming Next
I’ve been in the security game for 20 years and I can tell you two concrete facts: 1) the security world is constantly evolving and 2) it hasn’t yet settled on an effective strategy. We’ve seen countless trends come and go, but people want to know what’s going to stick. In the early days of security, the perimeter was King. But over time, we’ve transferred to a find-and-fix mentality.
So first, much like a security program, we have to assess where we are, how we got here, and what’s working. In many ways, the pendulum has swung too far away from the perimeter era. We need to find the happy medium, and to do this, we need to stress-test what we’ve got. Enter: offensive security.
Offensive security can be boiled down to:
- Understanding your adversaries
- Accepting that you can’t fix everything
- Accepting that you can’t patch everything
- Proactively seeking the most important places to apply and improve best practices first
That is, we need to take the best lessons from our past, and be deliberate about where and to what degree we apply them. We can’t 100% patch, and we can’t get everything into a DMZ like we might have in the past, but with a little insight, we can prioritize fixes to juicy and high-impact targets, and we can absolutely put extra defenses around that one system with the keys to the kingdom — as long as we know it’s there.
How did we get here? — The Perimeter-Only Era
Security looks very different than it looked 20 years ago. In the early days of infosec, all roads led to the almighty perimeter. If you didn’t want hackers in your network, the best practice of the day dictated that you should throw all your resources at plugging up holes and reinforcing your primary external barrier. This was a great time, when we could readily apply the best practices (default-deny, segmentation, least-privilege, monitoring, testing), with a clear focus on putting all our web servers into the well-defended DMZ. By DMZ, I mean an area that is protected by firewalls blocking traffic on both sides of it.
This philosophy has its upsides. It is simple to implement and maintain: everything that touches the internet directly goes in a DMZ. The DMZ implements all those awesome defenses and lets us focus our hardening in a small number of locations. Our crown jewels get deeply buried, and nothing inside gets to talk directly to the internet. Connectivity out to the internet is restricted to a small number of aggressively monitored chokepoints.
These concepts are still valid. But they began to fall out of favor because endpoints exploded, became part of the perimeter, and then everything was the perimeter. As we know from the Incredibles, when everyone’s super, no one is. That is to say, once everything was high-priority, the very concept of prioritization went out the window. This led many security teams to drop the concept of the DMZ altogether in favor of a patch-first approach. This brings us to the find and fix era.
As a community, we still struggle to fully divest from the notion that chasing a perfect perimeter makes for a strong system. It’s not that the perimeter isn’t important — of course it is. 41 percent of ransomware attacks begin at the perimeter. But understand that even those 41 percent would have been fruitless if the systems had been resilient beyond the point of initial access.
We now know that a system must be resilient to attackers, even after they’ve compromised the external attack surface. The perimeter-only methodology only works as long as it is perfectly maintained. Imagine bringing home a puppy and securing only the doggy doors. 9 times out of ten, you will probably come home to a clean house. But with no gates, an open pantry and no cover on the kibble, if the puppy gets into your kitchen, cancel your evening plans.
Perimeter-based security boils down to:
- Default-Deny
- Segmentation
- Least-privilege
- Monitoring
- Testing
I see many defenders go wrong in assuming that because the perimeter can’t be 100% hardened, it is not worth hardening at all. But anything that needs to be internet-facing and has privileges should live inside a DMZ. This includes security appliances themselves, such as VPNs.
Where are we now? — The Find-and-Fix Era
Over time, the security world has come to look at the attack surface a bit more holistically, adding new protections and monitoring at various security checkpoints within the layers of the network. This is overall a very good thing for business and the introduction of solutions like MFA and EDR have certainly altered the constitution of the standard internal attack surface.
So problem solved right? Do you think if we go check the numbers, we’ll see that the rate of attacks has plummeted? You already know the answer. Over the past several years, cybersecurity spend has steadily increased, with US firms spending an average of $2.6 million per year. But even as firms open up their purse strings to attempt to curb their risk, large-scale data breaches in the US have skyrocketed to over a thousand a year.
Unfortunately, it seems we’ve taken the holistic approach a bit too far. Once the goal became to look everywhere for problems — well, you guessed it: people started finding problems everywhere. Between misconfigured systems, expired certs, poor WFH hygiene and potential zero-days, infosec teams now scan their entire networks from the inside and get back reams of vulnerabilities that would put courtroom stenographers to sleep. And all this at a time when diversity and complexity of applications has exploded as well.
With no way of seeing what these systems and vulnerabilities look like to attackers, security pros are forced to essentially play russian roulette with their patching. They fix as many gaps as they can while deploying practiced denial upon the rest.
I should make it clear that none of the fault here lies with the defender. If anything, it lies with security vendors who pitch set-it-and-forget-it solutions. While every security pro would love to buy software that makes their jobs easier, security is a process, not a state. It cannot be set and forget. The only way to keep a system resilient is to constantly question your own assumptions — scrutinizing and improving each component (including your security solutions.) There is always more to be improved.
So we’ve seen two systems, both flawed, make their way into mainstream security. Looking to protect one part of the network was not effective, and scanning the entire network for every flaw isn’t working out so well either. What’s next?
Where are we going? — The Offensive Security Era
Now we arrive at my favorite part of the journey: my part. Look, we can see a pattern coming together in the strategies that are half working: they’re all tasks that are essentially performed with a blindfold on.
If you spend your whole security budget on deadbolts, but your intruder has a skeleton key, well you may as well have stuck your security budget in a money market account and taken your annual 2–4 percent.
The next step is to actually observe the intruder. In fact, you want to sit down with your intruder after they breach you and ask them where your program went wrong and how to make their job harder next time.
Suddenly, that intimidating list of vulnerabilities you got can be prioritized. You know the key areas you need to devote your attention to where your efforts will have the maximum impact on reducing your overall risk and incident rate.
But it gets better. As security teams evolve to be more self-aware, not only does their system become stronger and more resilient to attack, but they are also able to measure the effectiveness of their existing security tools.
Now, you aren’t just looking at your network security — the whole cost/benefit analysis of your program changes. If you work at a large enough company, it’s possible your team’s security budget exceeds 10 million dollars a year. If that’s the case, learning which tools aren’t providing value could save you millions of dollars a year. Dollars that would generate far more ROI if they were devoted to growing the business or hiring more blue teamers.
What Does This Mean for You?
In some ways, security will never be done evolving, because the threat landscape will never be done evolving. As society’s processes — banking, healthcare, business ops, etc. — go digital, crime will become more digital. In response, we need lean, agile and dynamic solutions.
You need to rearrange your budget to make some room for offensive security solutions like ASM, pen-testing and red-teaming. This does not mean spending more money overall. The investing you make in measuring your own success will likely lead to consolidation of security tools and put millions of dollars back into your budget. Meanwhile, your security program’s real-world effectiveness will improve overnight as your risk drops.
When you advance your security tactics to catch up to the modern security landscape, you’ll find that not only does your program improve immediately, but the agility will make you future-proof so that when the threat landscape changes again in 10 years, you’re already agile and self-aware enough to meet those new challenges.